Lync Client: Certificate Authentication Problem

-
Very often I'm ask about this problem:

English:
Lync cannot verify that the server is trusted for your sign-in address. Connect anyway?

German:
Lync kann nicht überprüfen, ob der Server für Ihre Anmeldeadresse vertrauenswürdich ist. Trotzdem verbinden?


Explanation:
Lync Client 2013 has an additional safety check implemented.
This verify the users SIP Domain with the FQDN of Lync server where the user tries to connect with.
In the most customer environments, the SIP domain is different from the Active Directory domain. It usual and normal. Possible the SIP domain will match the SMTP domain, so user can easily experience Unified Communication, and the communication addresses are the identically.

If you are in an lager enterprise, it's quiet a hassle if all users would have to click the acknowledgement. We need a solution!

How to solve this problem, there are two methods
A manual way and a GPO based solution.

If you are adjusting the Lync Client manually, you have to navigate to:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\Lync
here you need to modify or add the "new String Value" TrustModelData
in this key, you need to add the server listed in the warning.
e.g. lyncpool.domain.sip

the second method by using the group policy:
add the registry settings in, e.g. the default domain policy or a dedicated client policy.
(possible: you implement the Office 2013 Administrative Template)


References:
TechNet German: http://support.microsoft.com/kb/2833618/de
TechNet English: http://support.microsoft.com/kb/2833618/en-us
Office  2013 ADMX: http://www.microsoft.com/en-us/download/details.aspx?id=35554

Comments

  1. UnknownNovember 20, 2013 at 7:01 AM

    dear thomas
    i cannot logging from work group system. it asking for certificates which is i all ready installed still giving me error.

    ReplyDelete
    Replies
    1. Thomas PoettNovember 20, 2013 at 9:14 AM

      Hi John,
      you need the root certificate from your internal PKI installed on this WG Clients

      Delete

Post a Comment

Popular posts from this blog

Cannot join external Lync Meeting: Lync Edge Server Single IP Address (Lync Edge Server Single IP Web Conferenceing Problem)

-
Image
Lync Edge Server FQDN and IP PORTS (Version 1.2, Update 26.11.2014) As we all know, we can configure Lync Edge Server in several way. 1) Single Edge Server with a SINGLE IP ADDRESS 2) Single Edge Server with MULTIPLE IP ADDRESSES (3x IPs) 3) Multiple Edge Server in a Pool, with MULTIPLE IP ADDRESSES (Zx 3 IPs) Regardless what we are going to configure, there are common / well-known TCP Port necessary making Lync work, which are: Access: Port: 443 and 5061 Conferencing: Port: 443 and (444) AV: Port: 443 (I have not listed other ports, e.g. STUN or the dynamic port range. This is not required for the topic discussed here) External FQDN with single IP address: What can we see here? If we are going to choose a single IP address, we would have TCP Port overlapping. Therefore the only way avoiding this is assigning other ports. Additionally we will also see and are reminded that Lync highly depends on DNS. If we have single IP, we must have use single, unique FQDN fo
Read more

MFA with Guest Access and different tenants settings

-
Image
There is an update regarding MFA Multi Factor Authentication. If you are guest with a different Tenant, the MFA Settings are now reflecting the settings of all tenants in a different way. Each MFA setting is reflected and you can setup your MFA device as per tenant and the admin settings allow. Login to your Profile in Office 365/ Azure AD: https://account.activedirectory.windowsazure.com/r/#/profile or https://myapps.microsoft.com Go to your PROFILE: Sign in to https://myapps.microsoft.com Select your account name in the top right, then select profile. Select Additional security verification. If might be happen, your admin hast configured MFA, so you wouldn't see this menu. Simply switch the tenant to the guest tenant where you need to configure MFA. Once you go back to your profile and you will find the MFA device and other settings a usual:
Read more

Skype for Business, Lync and Exchange Web Services (EWS) and different DNS Domains- Exchange crawling e.g. for presence

-
Image
Hi all, (This is an updated version 2.2: 09 .07.201 5 ) This blog entry is valid for Lync 2010, Lync 2013 and Skype for Business Server. Generally, I'll write a new blog article, since the conversion history over multiple device and other service have change with Skype for Business 2015 Server. Once this written, I post the link here. there is always confusion in how Lync is crawling Exchange Web Services (EWS). Generally it is necessary to understand how DNS must be implemented: Just remember, identify if you have DNS Split configuration, different internal and external DNS names and what are your SMTP and SIP Domains. Very often you find in Lync/ Exchange deployments an issue, where the Lync configuration show up with empty: EWS Internal URL EWS External URL and EWS Information = EWS not deployed Therefor Exchange Web Service are not connected deployed and several Lync Integration Features are not working, e.g. Presence Information based on your Outlook Calendar.
Read more